How to enable VMware vSAN Encryption

This short post is a how-to guide for enabling encryption on VMware vSAN.  To do this, we’ll need a few ingredients:

  • A VMware vSphere 6.5 cluster with VMware vSAN enabled
  • A Key Management Server Solution (KMS)

The Key Management Server (not to be mistaken for Microsoft’s licence key solution) provides the encryption keys for vSAN encryption.  This should be a robust, highly available solution (ideally multiple nodes), because without it the vSAN datastore becomes inaccessible!  Also, a tip – don’t put your KMS solution on the vSAN you’re about to encrypt; if the datastore needs its keys to come up and the KMS lives on that datastore, neither can start, which would be a really bad idea!

In the case of the estate stood up for this blog post, HyTrust KeyControl 4.1 was deployed.  It’s an easy-to-use product that does exactly what’s required.

Registering the KMS in VMware vSphere

VMware vCenter supports the KMIP standard (VMware have certified a number of products) for connected KMS servers.  In the case of our HyTrust KeyControl appliance, we have to enable the KMIP server service and set the protocol version to 1.1.

[Screenshot: HyTrust KeyControl appliance – KMIP server settings]

We also need to set up a service user account here.  It’s important not to set a password for this account: we’re using certificates to authenticate, and setting a password prevents vSphere from using the account with the HyTrust solution.  We then download the SSL certificate for the user (this is a ZIP file containing the CA certificate and the user certificate as PEM files).

Logged on as an administrator in the VMware vCenter Web Client, we open up the configuration of the vCenter server and add our KMS:

[Screenshot: VMware vCenter Web Client – Configure vCenter Server]

We enter a name for the KMS cluster and the details for the first node (we can add other nodes under this cluster later).  The port is 5696, the KMIP default, for most solutions.

We then have to trust the certificate for the Server:

[Screenshot: Trust certificate for server]

At this point we have the configuration, but a trusted connection has yet to be established.  We establish the trust using the menu option below:

[Screenshot: KMS menu]

There are a few ways of achieving this (see the screenshot below), but we’ll be uploading the certificates snagged earlier:

[Screenshot: Establish trust with KMS]

In our case, we upload the User PEM twice:

[Screenshot: Upload PEM twice]

And, voilà, we’re ready to go forth and enable vSAN encryption.

[Screenshot: Ready to enable encryption]

Enabling VMware vSAN Encryption

Here’s the easy bit.  We’ll assume that you already have vSAN up and running and will be enabling vSAN encryption on it.  If this is a pre-existing cluster, remember to leave enough free capacity in the cluster to accommodate evacuating and reformatting one host at a time: the operation temporarily removes each host from the cluster while its disk format is changed.

We open the Cluster Configuration and select vSAN > General.

[Screenshot: Cluster configuration]

Edit the settings to enable encryption.  We can erase the disks before use if we wish, but the key item is selecting the KMS cluster and clicking OK.  Allowing reduced redundancy reduces the number of VM data moves while the encryption process is under way.

[Screenshot: Edit settings to enable encryption]

At this point the cluster will reconfigure, enabling de-duplication.  This can take a little while so be patient. And that’s it done.

[Screenshot: Cluster reconfiguring]
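
As an added example (not part of the original post), the same procedure driven from PowerCLI, with a pre-flight check for the tip above about not hosting the KMS on the vSAN it is about to protect. It assumes PowerCLI 6.5.1 or later (the Get-KmsCluster and Get-/Set-VsanClusterConfiguration cmdlets; parameter names are as documented there and should be confirmed with Get-Help on your version), that the KMS cluster has already been registered and trusted in vCenter as described above, and the placeholder vCenter, cluster, KMS cluster and KMS VM names.

```powershell
# Added example, not from the original post: PowerCLI version of the steps above.
# Assumes PowerCLI 6.5.1+ (VMware.VimAutomation.Storage), a KMS cluster already
# registered and trusted in vCenter, and the placeholder names below.
param(
    [string]$VCenter        = 'vcenter.example.local',  # placeholder
    [string]$ClusterName    = 'vSAN-Cluster',           # placeholder
    [string]$KmsClusterName = 'HyTrust-KMS',            # placeholder
    [string]$KmsVmName      = 'hytrust-kc-01'           # placeholder, KMS appliance VM
)

Connect-VIServer -Server $VCenter | Out-Null

# 1. Encryption cannot be enabled without a registered KMS cluster; fail early if it is missing.
$kms     = Get-KmsCluster -Name $KmsClusterName -ErrorAction Stop
$cluster = Get-Cluster    -Name $ClusterName    -ErrorAction Stop

# 2. Enforce the tip in the post: the KMS must not live on the vSAN it is about to protect,
#    or a power cycle leaves the datastore unable to fetch its keys.
$vsanNames = ($cluster | Get-Datastore | Where-Object { $_.Type -eq 'vsan' }).Name
$kmsVm = Get-VM -Name $KmsVmName -ErrorAction SilentlyContinue
if ($kmsVm) {
    $onVsan = $kmsVm | Get-Datastore | Where-Object { $vsanNames -contains $_.Name }
    if ($onVsan) {
        throw "KMS VM '$KmsVmName' sits on vSAN datastore '$($onVsan.Name)'; relocate it first."
    }
}

# 3. Enable encryption with the same choices as the GUI dialog: keep existing data
#    (no disk erase) and allow reduced redundancy to limit data moves during the rolling reformat.
$config = Get-VsanClusterConfiguration -Cluster $cluster
if (-not $config.EncryptionEnabled) {
    Set-VsanClusterConfiguration -Configuration $config `
        -EncryptionEnabled $true `
        -KmsCluster $kms `
        -EraseDisksBeforeUse $false `
        -AllowReducedRedundancy $true `
        -Confirm:$false | Out-Null
}

# 4. Re-read the configuration to confirm; the per-host disk-group reformat continues in the background.
$config = Get-VsanClusterConfiguration -Cluster $cluster
"vSAN encryption enabled on '$ClusterName': $($config.EncryptionEnabled)"
```

The reformat that follows the Set call is a rolling task, so watch the cluster's recent tasks in the Web Client until every host has been evacuated and rejoined before treating the datastore as encrypted end to end.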

Closing Thoughts

This is a relatively simple feature to enable, providing a measure of data security for little effort.

If you’re considering developing a VMware vSAN based estate and need assistance, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.
